Firefox security and start-up problems fixed

Mozilla has released Firefox 3.5.1 to fix the recently reported security vulnerability in the Just-in-Time (JIT) JavaScript compiler. An exploit for the Windows version is already doing the rounds. Attackers can exploit the vulnerability to inject and execute code on vulnerable systems. Since JIT is a new feature that only appeared in Firefox 3.5, prior versions do not contain the vulnerability. Users who had previously deactivated JIT as a workaround can safely re-activate it after installing the update.

The Firefox development team has also fixed the slow launch bug in the Windows version. Because some Windows systems lack the Windows CryptoAPI, the developers had chosen the alternative of initialising the Network Security Services (NSS) random number generator with a seed generated by reading files from the Internet Explorer cache folder and the Windows temporary file folder. Frequent use can leave both folders containing a large number of files, causing the process to take an inconvenient amount of time. According to the Bugzilla entry, the developers have now replaced the RtlGenRandom CryptoAPI call with CryptGenRandom, available on all systems.

Under Linux and Mac OS X, the NSS library opens the /dev/urandom pseudo-file, so there is no significant delay in seeding the generator. Frans Bourna, who discovered the problem, has stated on Bugzilla that he has the impression that many Firefox developers don't really give a lot of thought to the Windows version, as most of them are developing on Linux systems and are consequently unaware of potential problems with Windows.
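
The difference between the two seeding approaches described above can be measured with a short sketch. This is an added example, not NSS or Firefox code: the function names, the use of SHA-256 and the constructed sample folders are assumptions, and `os.urandom` stands in for the operating system generator (/dev/urandom on Linux and Mac OS X).

```python
import hashlib
import os
import tempfile


def seed_from_files(folders):
    """Hash every readable file under `folders` (illustrative, not NSS code).

    Returns (seed_bytes, files_read, bytes_read)."""
    digest = hashlib.sha256()  # SHA-256 is an assumption for this sketch
    files_read = bytes_read = 0
    for folder in folders:
        for root, dirs, names in os.walk(folder):
            dirs.sort()  # fixed traversal order
            for name in sorted(names):
                try:
                    with open(os.path.join(root, name), "rb") as fh:
                        for chunk in iter(lambda: fh.read(65536), b""):
                            digest.update(chunk)
                            bytes_read += len(chunk)
                except OSError:
                    continue  # locked or vanished file: skip it
                files_read += 1
    return digest.digest(), files_read, bytes_read


def seed_from_os(nbytes=32):
    """Ask the operating system generator; cost does not depend on any folder."""
    return os.urandom(nbytes)


def compare(counts=(10, 200), size=1024):
    """Build constructed sample folders and measure the work each seed needs."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for n in counts:
            folder = os.path.join(tmp, f"cache{n}")
            os.makedirs(folder)
            for i in range(n):  # constructed files standing in for a cache
                with open(os.path.join(folder, f"f{i:04d}.tmp"), "wb") as fh:
                    fh.write(bytes([i % 256]) * size)
            _, files, nbytes = seed_from_files([folder])
            results.append((n, files, nbytes, len(seed_from_os())))
    return results


if __name__ == "__main__":
    for n, files, nbytes, os_len in compare():
        print(f"{n} files: read {files} files / {nbytes} bytes; OS call: {os_len} bytes")
```

The file-based seed has to open and read every file it finds, so its start-up cost grows with the folder contents, while the operating system call returns the same number of bytes regardless of what is on disk.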